After looking at the security literature, you will find that secrecy is
formalized in different ways, depending on the application. Applications
have threat models that influence our choice of secrecy properties. A
property may be reasonable in one context and completely unsatisfactory
in another if other threats exist.

The primary goal of this panel is to foster discussion on what sorts of
secrecy properties are appropriate for different applications and to
investigate what they have in common. We also want to explore what is
meant by secrecy in different contexts. Perhaps there is enough overlap
among our threat models that we can begin to identify some key secrecy
properties for wider application. Currently, secrecy is treated in rather
ad hoc ways. With some agreement among calculi for expressing protocols
and systems, we might even be able to use one another's proof techniques
for proving secrecy!

Four experts were invited as panelists. Two panelists, Riccardo Focardi
and Martin Abadi, represent formalizations of secrecy as demanded by
secure systems that aim to prohibit various channels, or insecure
information flows. More specifically, they represent
noninterference-based secrecy. The other two panelists, Cathy Meadows
and Jon Millen, represent formalizations of secrecy for protocols based
on the Dolev-Yao threat model [2]. Below are some specific questions that
were asked of each of the panelists:

1. Secrecy is sometimes formulated as a "safety" property in protocol
analysis, where one is concerned with whether an intruder learns a
specific value (a secret). Such a criterion is inadequate for
guaranteeing secure information flow in systems where secrets can always
be encoded or transmitted in covert ways. Leaks arising by indirect flows
from within a process executing a protocol seem as dangerous as those
caused by message exchange with an adversary. This is especially true of
crypto protocols whose implementations normally admit cryptanalytic
attacks. So why does protocol analysis adopt a different criterion?

2. Is there a secrecy property for protocols and systems? Is it
noninterference (NI) based? One key problem is encryption. It blows
NI-based formulations apart. How can we cope with it? Do we assume
perfect encryption and fiddle with notions of equivalence until we get
the "desired effect"? Or do we use techniques that are more sensitive to
the computational complexity of compromising secrets?

3. Can we study protocol secrecy within the same framework as that used
for information flow in a concurrent setting? If not, why?

4. Suppose Mallory imitates Bob in a key establishment protocol with
Alice, to get Alice to accept a key that Mallory knows. Is this a failure
of secrecy because Alice incorrectly believes that the key is known only
to Bob and herself?

Panelists were asked to try to respond to these questions or provide
questions that they feel are more appropriate. Their responses are given
in the following sections. Thanks to the panelists for participating.

1. Martin Abadi’s Reply

Suppose that we wish to require that a protocol preserve the secrecy of
one of its parameters, x. The protocol should not leak any information
about x; in other words, the value of x should not interfere with the
behavior of the protocol that the environment can observe. The parameter
x may denote the identity of one of the participants or the sensitive
data that is sent encrypted after a key exchange. In general, we cannot
express this secrecy property as a predicate on behaviors. On the other
hand, representing the protocol as a process P(x), we may express the
secrecy property by saying that P(M) and P(N) are equivalent (or
indistinguishable), for all possible values M and N for x. Here we say
that two processes P1 and P2 are equivalent when no third process Q can
distinguish running in parallel with P1 from running in parallel with
P2. This notion of process equivalence (testing equivalence) has been
applied to several classes of processes and with several concepts of
distinguishability, sometimes accounting for cryptographic operations.

Approaches based on predicates on behaviors rely on a rather different
definition of secrecy, which can be traced back to the influential work
of Dolev and Yao. According to that definition, a process preserves the
secrecy of a piece of data M if the process never sends M in clear on the
network, or anything that would permit the computation of M, even in
interaction with an attacker.

Neither definition of secrecy implies the other. The first one concerns
a process with a free variable x, while the second one concerns a process
and a term with no free variables. With the first definition, we can say
that P(x) preserves the secrecy of the value of x even when this value
may be a boolean; with the second one, it does not make much sense to
talk about a secret boolean. In addition, the first definition rules out
implicit information flows, while the second one does not. While the
exact relations between the definitions remain unclear, I believe that
the first one represents a more compelling criterion, and that the
second one is a useful approximation that fits better into some formal
frameworks.
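
The contrast drawn above, as an added example that is not part of Abadi's
reply or of the panel text: a small Python model that applies both
criteria (the Dolev-Yao "can the intruder derive x?" test and the
"are P(M) and P(N) indistinguishable?" test) to three toy protocol
fragments. The fragments p_direct, p_encrypted and p_implicit, the key
and nonce names, the intruder's initial knowledge, the passive intruder
and the perfect-encryption view are all assumptions made for the
illustration.

```python
# Added example, not part of the panel discussion: the two secrecy criteria
# Abadi contrasts, run on toy protocol processes.  Terms are Python values:
# an atom is a str, ("pair", a, b) is concatenation, ("enc", k, m) is symmetric
# encryption of m under k.  Modelling assumptions: perfect encryption, a passive
# intruder who only observes what the process sends, and fresh randomness per
# encryption, so a ciphertext under an unknown key is just an opaque handle.

def analyze(knowledge):
    """Dolev-Yao analysis closure: split pairs, decrypt under known keys."""
    known = set(knowledge)
    changed = True
    while changed:
        changed = False
        for t in list(known):
            if not isinstance(t, tuple):
                continue
            new = set()
            if t[0] == "pair":
                new = {t[1], t[2]}
            elif t[0] == "enc" and t[1] in known:
                new = {t[2]}
            if not new <= known:
                known |= new
                changed = True
    return known

def derivable(target, knowledge):
    """Synthesis on top of analysis: can the intruder build `target`?"""
    known = analyze(knowledge)
    def build(t):
        if t in known:
            return True
        if isinstance(t, tuple):          # pair needs both parts; enc needs key and plaintext
            return all(build(u) for u in t[1:])
        return False
    return build(target)

def view(term, known, handles):
    """The intruder's view of a term: ciphertexts under unknown keys become
    opaque handles numbered in order of appearance (fresh per run)."""
    if not isinstance(term, tuple):
        return term
    if term[0] == "pair":
        return ("pair", view(term[1], known, handles), view(term[2], known, handles))
    if term[1] in known:                  # encryption under a key the intruder holds
        return ("enc", term[1], view(term[2], known, handles))
    handles.append(term)                  # fresh opaque handle per ciphertext
    return "opaque%d" % (len(handles) - 1)

# Hypothetical protocol fragments, each a function from the secret parameter x
# to the list of messages it sends on the network.
K = "k_ab"                                   # key shared by the honest parties
EXPECTED = "s1"                              # value the responder compares x against
INTRUDER_KNOWS = {"yes", "no", "n_intruder"} # public constants and the intruder's own data

def p_direct(x):                             # sends x in clear
    return [("pair", "hello", x)]

def p_encrypted(x):                          # sends x only under the unknown key
    return [("enc", K, x)]

def p_implicit(x):                           # implicit flow: replies "ack" only if x matches
    msgs = [("enc", K, x)]
    if x == EXPECTED:
        msgs.append("ack")
    return msgs

def dy_secret(process, x):
    """Dolev-Yao criterion: after the run with secret x, x is not derivable."""
    return not derivable(x, INTRUDER_KNOWS | set(process(x)))

def ni_secret(process, candidates):
    """Abadi's criterion: the intruder's views of P(M) and P(N) coincide for
    every pair of candidate values M, N."""
    def observe(x):
        sent = process(x)
        known = analyze(INTRUDER_KNOWS | set(sent))
        handles = []
        return tuple(view(m, known, handles) for m in sent)
    return len({observe(x) for x in candidates}) == 1

def report():
    nonces, booleans = ["s1", "s2"], ["yes", "no"]
    return {
        "direct":         (dy_secret(p_direct, "s1"),     ni_secret(p_direct, nonces)),
        "encrypted":      (dy_secret(p_encrypted, "s1"),  ni_secret(p_encrypted, nonces)),
        "encrypted_bool": (dy_secret(p_encrypted, "yes"), ni_secret(p_encrypted, booleans)),
        "implicit":       (dy_secret(p_implicit, "s1"),   ni_secret(p_implicit, nonces)),
    }

if __name__ == "__main__":
    for name, (dy, ni) in report().items():
        print("%-15s Dolev-Yao secret: %-5s  indistinguishable: %s" % (name, dy, ni))
```

The four rows reproduce the two non-implications: p_implicit passes the
Dolev-Yao test (the intruder never obtains s1) but fails
indistinguishability because the "ack" reveals which value was used, while
p_encrypted with a boolean-valued secret passes indistinguishability but
trivially fails the Dolev-Yao test, since "yes" and "no" are already in
the intruder's knowledge.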

2. Riccardo Focardi’s Reply

Non-Interference (NI) has been introduced with the aim of formalizing
security policies in systems. In particular, given two groups of users A
and B, the requirement "A must not interfere with B" basically imposes
that what is done by users in A cannot modify in any way the behaviour of
the users in B. As a consequence, we obtain that the information which is
known by users in A can never be revealed to users belonging to B. This
gives us a strong notion of secrecy (in systems). For example, through
NI requirements, we can easily formalize a multilevel security policy by
requiring that users at a certain confidentiality level do not interfere
with users at a lower level.

Indeed, NI is a general concept that can also be profitably applied in
other settings, as it simply verifies if someone is able to induce a new
(potentially dangerous) behaviour. As an example, NI has already been
successfully exploited for the automatic verification of cryptographic
protocols. Usually, when we consider a cryptographic protocol, we would
like to be guaranteed that no enemy is able to introduce any "undesirable
behaviours". This is exactly what NI requires. For example, for secrecy
an "undesirable behaviour" is represented by the leaking of (secret)
information which is detectable by simply observing the state of the
enemy.

This reflects the power and the limitations of the use of NI-based
properties in the analysis of security protocols:

• On one hand, the generality of NI makes it possible to detect in the
same analysis completely different attacks (e.g., secrecy and
authentication). This could increase the probability of finding new
attacks, since we do not need to fix in advance the specific security
property to be checked;

• On the other hand, this kind of analysis requires an additional effort
in identifying what the "undesirable behaviours" are, i.e., which of the
revealed behaviours are attacks and which are not. However, when it is
possible to reveal an attack by observing a few well-defined events,
e.g., in secrecy analyses, this task becomes trivial.

Finally, NI seems to be a good unifying approach to computer and network
security. As a matter of fact, after the underlying model has been
enriched (in some way) in order to deal with cryptography, NI can be used
to analyze protocol secrecy within the same framework as that used for
information flow in systems.

3. Cathy Meadows’ Reply

Most of the work that has been done on applying formal methods to
cryptographic protocols has relied upon the Dolev-Yao model, in which
both intruders and honest participants have access to a finite number of
well-defined operations obeying a finite set of algebraic rules. In this
model the secrecy problem reduces to the problem of determining whether
or not an intruder can learn a specific word by combining the set of
operations available to it with the set of operations performed by the
legitimate participants in the protocol. This is a very simple notion of
secrecy: the intruder either learns the word or doesn't. Thus it avoids
dealing with the question of whether or not the intruder can learn
information about a word or key that would help in cryptanalysis, whether
or not the intruder learns relationships between words (for example the
relationship between a message and its sender), and whether a conspirator
can encode secret information in the execution of the protocol. On the
other hand, the Dolev-Yao model gives the protocol analyst a powerful
tool for understanding a wide range of authentication properties that
can be guaranteed by a cryptographic protocol.

This is in marked contrast to the notion of secrecy used in information
flow, in which one attempts to determine whether one untrusted process H
could pass information to another untrusted process L by determining
whether or not H has any effect on the system that is visible to L. Not
only is this a much more subtle notion of secrecy than the Dolev-Yao
version, relying on knowledge of possible as well as actual behavior, but
the trust model is different: in the Dolev-Yao model the holders of
secrets are trusted, while in the information flow model the holder of
secrets H is untrusted, and it is up to the system to provide the
guarantee that H does not reveal information.

Since the models satisfy such different requirements, it is difficult to
"defend" one against the other. However, it does make sense to ask how
they could be made to work together in a system that must satisfy
multilevel security requirements and also engage in authentication
protocols. For example, we might want to consider a system in which a
subject is trusted to engage properly in a cryptographic protocol, but
may or may not be trusted not to leak information via covert channels.

In order to understand how the two notions of security can be made to
work together, we may want to look at another notion of security for
systems: the type provided by access control policies. In the access
control model, as in the Dolev-Yao model, the system consists of a set of
principals (subjects), some of whom may be dishonest, a set of objects,
and a finite set of operations that may be performed on the objects,
such as creation, deletion, and the granting and removing of access
rights. As in the Dolev-Yao model, the notion of secrecy is simple; it
boils down to determining whether or not a subject can gain read access
to an object. And, also as in the Dolev-Yao model, it is possible to use
the finite set of operations to model a wide range of access control
policies and requirements.

A number of attempts have been made to unify access control models with
information-flow type models, with some success. The Bell-LaPadula model
was perhaps the first; it foundered on the question of downgrading. The
ability to downgrade data is necessary, but it also violates a
straightforward information flow policy, since it is an obvious flow
from High to Low. Intransitive noninterference policies attempt to
rectify this situation by allowing information to flow only through
certain channels, such as downgraders. Other work, such as that of Simon
Foley [3], has concentrated on developing a framework that allows complex
structures of information flow requirements.

An approach like the above would allow us to integrate cryptographic
protocol analysis into the information flow model, but at the possible
price of ignoring information flow risks that could arise from
deliberate information leakage during the execution of the protocol. For
this we might want to look at work that has been done in the
cryptographic community to address this very problem, known as
"subliminal channels" in this context [1]. However, this work introduces
an added expense: the introduction of a trusted warden to verify the
absence of subliminal messages. Moreover, most of the existing work is
applicable only to zero knowledge protocols, which have seen few
practical applications. However, a closer look at this work may give us
ideas for applying it to more generally applicable protocols and to
integrating it with information flow models.
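
The noninterference requirement as Focardi describes it ("what is done by
users in A cannot modify in any way the behaviour of the users in B") and
the downgrading problem Meadows raises above, as one added example that
is not from either reply: a Python check of noninterference on a small
deterministic state machine, first with the transitive purge of Goguen
and Meseguer, then with Rushby's intransitive purge, which is what lets a
policy permit High to reach Low only through a downgrader. The machine,
its action names, the domains H/D/L and the policy are hypothetical and
constructed for the illustration.

```python
# Added example, not part of the panel text: noninterference checked on a small
# deterministic state machine, first with the transitive purge (the "A must not
# interfere with B" requirement), then with Rushby's intransitive purge for the
# downgrader case.  The machine, action names, domains and policy are hypothetical.
from itertools import product

# Hypothetical machine: High writes a register, the Downgrader releases it to a
# buffer that Low can read.  State is (high_reg, low_buf); ACTIONS maps action -> domain.
ACTIONS = {"h_write": "H", "d_release": "D", "l_read": "L"}

def step(state, action):
    hi, lo = state
    if action == "h_write":
        return (1, lo)
    if action == "d_release":
        return (hi, hi)
    return state                          # l_read is observation only

def leaky_step(state, action):
    """Variant with a covert flow: High's write reaches Low's buffer directly."""
    return (1, 1) if action == "h_write" else step(state, action)

def output(state, domain):
    """What a domain observes: Low sees its buffer, H and D see the register."""
    hi, lo = state
    return lo if domain == "L" else hi

def run(step_fn, seq, start=(0, 0)):
    for a in seq:
        start = step_fn(start, a)
    return start

# Policy: allowed interference edges u ~> v; reflexive edges are implicit.
# High may reach Low only through the downgrader, never directly.
POLICY = {("H", "D"), ("D", "L")}

def allowed(policy, u, v):
    return u == v or (u, v) in policy

def purge(seq, u, policy):
    """Goguen-Meseguer purge: drop every action whose domain may not interfere with u."""
    return [a for a in seq if allowed(policy, ACTIONS[a], u)]

def ipurge(seq, u, policy):
    """Rushby's intransitive purge: keep an action iff its domain can reach u
    through the domains of the actions that come after it."""
    if not seq:
        return []
    a, rest = seq[0], seq[1:]
    sources = {u}                         # sources(rest, u), built from the end
    for b in reversed(rest):
        if any(allowed(policy, ACTIONS[b], v) for v in sources):
            sources.add(ACTIONS[b])
    keep = any(allowed(policy, ACTIONS[a], v) for v in sources)
    return ([a] if keep else []) + ipurge(rest, u, policy)

def noninterfering(step_fn, purge_fn, u="L", policy=POLICY, max_len=4):
    """Every action sequence up to max_len gives u the same output as its purged version."""
    for n in range(max_len + 1):
        for seq in product(ACTIONS, repeat=n):
            seq = list(seq)
            real = output(run(step_fn, seq), u)
            purged = output(run(step_fn, purge_fn(seq, u, policy)), u)
            if real != purged:
                return False
    return True

def report():
    return {
        "downgrader, transitive purge":    noninterfering(step, purge),
        "downgrader, intransitive purge":  noninterfering(step, ipurge),
        "covert flow, intransitive purge": noninterfering(leaky_step, ipurge),
    }

if __name__ == "__main__":
    for name, ok in report().items():
        print("%-33s %s" % (name, "secure" if ok else "INTERFERENCE"))
```

The transitive check rejects the downgrader machine, because purging
High's write from the sequence h_write, d_release changes what Low reads;
the intransitive check accepts it, since that write is kept whenever a
release follows it, and still rejects the leaky variant in which High's
write reaches Low without passing through the downgrader.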

4. Jon Millen’s Reply

It may seem odd that an apparently primitive concept like "secrecy" could
be formalized in several different ways within a single application area
such as cryptographic protocol analysis. But we already have a precedent
for a multiplicity of models of secrecy in the analysis of secure
operating systems. Figures 1 and 2 show the analogy between the two
subjects. It is suggested that there is a good reason for having more
than one model, and that similar reasoning applies to both areas.

The pyramid pictures illustrate the progression from simple, basic
policies to a more detailed analysis that focuses on localized
subsystems. The more focused analysis requires more detail in the system
model. In both environments, a really thorough treatment of secrecy has
to bring in Shannon's information theory, which implies probabilistic
considerations.

There is a fundamental difficulty in applying noninterference to
encryption, namely the fact that changes in plaintext cause changes in
ciphertext. In a probabilistic context, one can rephrase secrecy as an
inability to distinguish secret information from randomly generated
text.
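
The probabilistic reading of secrecy in the last paragraph, as an added
example that is not part of Millen's reply: a Python computation that
makes "indistinguishable from randomly generated text" exact for a 3-bit
message space by enumerating every key, and ties it to Shannon's measure
of how many bits of the message the ciphertext leaks. Both schemes are
constructed for the illustration: a one-time pad and a deliberately weak
pad whose key contributes only one random bit.

```python
# Added example, not part of the panel text: secrecy in the probabilistic sense
# ("a ciphertext cannot be told apart from randomly generated text"), made exact
# for a 3-bit message space by enumerating every key.  Both schemes are
# constructed for the illustration.
import math
from fractions import Fraction

BITS = 3
SPACE = list(range(2 ** BITS))            # messages, keys and ciphertexts all live here

def otp(msg, key):
    return msg ^ key                      # one-time pad with a uniform 3-bit key

def weak(msg, key):
    return msg ^ (0b111 if key & 1 else 0)   # only the key's low bit matters

def cipher_distribution(scheme, msg):
    """Exact distribution over ciphertexts for a fixed message and uniform key."""
    dist = {c: Fraction(0) for c in SPACE}
    for key in SPACE:
        dist[scheme(msg, key)] += Fraction(1, len(SPACE))
    return dist

def statistical_distance(p, q):
    return sum(abs(p[c] - q[c]) for c in SPACE) / 2

def advantage_vs_random(scheme):
    """Worst-case distance between a message's ciphertext distribution and
    uniformly random text; 0 means no observer can tell them apart."""
    uniform = {c: Fraction(1, len(SPACE)) for c in SPACE}
    return max(statistical_distance(cipher_distribution(scheme, m), uniform) for m in SPACE)

def leaked_bits(scheme):
    """Shannon's measure I(M; C) = H(M) - H(M | C) for uniform message and key."""
    n = len(SPACE)
    joint = {}
    for m in SPACE:
        for key in SPACE:
            c = scheme(m, key)
            joint[(m, c)] = joint.get((m, c), Fraction(0)) + Fraction(1, n * n)
    marginal_c = {}
    for (m, c), p in joint.items():
        marginal_c[c] = marginal_c.get(c, Fraction(0)) + p
    h_m_given_c = -sum(float(p) * math.log2(float(p / marginal_c[c]))
                       for (m, c), p in joint.items())
    return math.log2(n) - h_m_given_c

if __name__ == "__main__":
    for name, scheme in (("one-time pad", otp), ("weak pad", weak)):
        print("%-13s distance from random: %s  leaked bits: %.2f"
              % (name, advantage_vs_random(scheme), leaked_bits(scheme)))
```

For the one-time pad every message yields the uniform distribution, so
the distance from random text is 0 and no bits leak; for the weak pad a
ciphertext is always the message or its bitwise complement, which an
observer can tell from random text with distance 3/4, and Shannon's
measure says two of the three message bits are leaked.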